Article Id 276314
Description: This article describes the steps needed for FortiGate to reach a DNS server that sits on the other side of an IPsec tunnel.
Scope: FortiOS 7.0 and later.

DNS queries sent by FortiGate are self-originating traffic, meaning they originate from the FortiGate itself rather than from a host behind it. See the administration guide for more information.

Self-originating traffic uses the exit interface IP address as the source address by default.

When this traffic tries to go over an IPsec tunnel, it fails because IPsec tunnel interfaces do not have an IP address by default, so there is no usable source address for the query.

In this example, an attempt is made to reach a DNS server that lies on the other side of the IPsec tunnel. After entering it in the DNS settings, it shows as unreachable:

To fix this, assign an interface IP address to the IPsec tunnel interface.

To do this, go to Network -> Interfaces.
Choose the IPsec tunnel interface and select Edit. In the edit window, assign an IP address to the local (interface) side and to the remote side. Use any addresses from a subnet that is not in use anywhere else in the environment. In this example, the local side and the remote side are each given an address from such a subnet, as shown below:

Local side:

Remote side:

After that, if a Phase 2 selector is configured on the IPsec tunnel, these tunnel IP addresses must be added to the Phase 2 selector so that traffic from them is allowed into the tunnel.
Likewise, if firewall policies restrict the traffic on the tunnel, these IP addresses must be added to those policies.
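The same steps written out as FortiOS CLI configuration, with a quick check at the end. This is an added example and not part of the original article; the tunnel name "to-branch", the addresses 10.255.255.0/30 (tunnel ends), 192.0.2.0/24 (remote LAN) and 192.0.2.53 (remote DNS server), and the policy ID are constructed placeholders that must be replaced with values from the real environment.

```text
# Added example, not from the original article. All names and addresses are constructed.
#   "to-branch"       hypothetical IPsec tunnel (phase1-interface) name
#   10.255.255.1/.2   constructed local/remote addresses for the tunnel ends
#   192.0.2.0/24      constructed remote LAN that contains the DNS server
#   192.0.2.53        constructed DNS server address
# Choose a subnet for the tunnel ends that is not used anywhere else.

# 1. Give the tunnel interface a local IP and a remote IP (Network -> Interfaces in the GUI)
config system interface
    edit "to-branch"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.252
    next
end

# 2. Add a Phase 2 selector for the tunnel address so the DNS query matches the SA.
#    Keep the existing LAN-to-LAN selector; this one is added alongside it.
config vpn ipsec phase2-interface
    edit "to-branch-dns"
        set phase1name "to-branch"
        set src-subnet 10.255.255.1 255.255.255.255
        set dst-subnet 192.0.2.0 255.255.255.0
    next
end

# 3. If policies restrict tunnel traffic, add the tunnel addresses to them.
#    An address object is created once and appended to the existing policy (ID 10 here is a placeholder).
config firewall address
    edit "tunnel-ips"
        set subnet 10.255.255.0 255.255.255.252
    next
end
config firewall policy
    edit 10
        append srcaddr "tunnel-ips"
    next
end

# 4. Point FortiGate at the DNS server on the far side of the tunnel
config system dns
    set primary 192.0.2.53
end

# 5. Check: DNS queries should now leave on the tunnel interface with the tunnel IP as source
diagnose sniffer packet to-branch 'port 53' 4 10
```

The remote FortiGate needs the mirror image: the remote-ip/ip pair swapped on its tunnel interface, a Phase 2 selector with the subnets reversed, and a policy from the tunnel to the LAN that permits the tunnel address to reach the DNS server. In the sniffer output, queries with a source of 10.255.255.1 and a destination of 192.0.2.53 confirm the fix; queries that never appear on the tunnel interface point to a missing Phase 2 match or a policy block.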

After that, the DNS server becomes reachable and DNS resolution through the tunnel works.